{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2021-22902","title":"Title"},{"category":"description","text":"The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2021-22902","url":"https://www.suse.com/security/cve/CVE-2021-22902"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1185771 for CVE-2021-22902","url":"https://bugzilla.suse.com/1185771"}],"title":"SUSE CVE CVE-2021-22902","tracking":{"current_release_date":"2025-10-07T02:37:11Z","generator":{"date":"2023-02-15T03:45:50Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2021-22902","initial_release_date":"2023-02-15T03:45:50Z","revision_history":[{"date":"2023-02-15T03:45:50Z","number":"2","summary":"Current version"},{"date":"2025-01-01T04:44:19Z","number":"3","summary":"Current version"},{"date":"2025-02-15T05:18:47Z","number":"4","summary":"Current version"},{"date":"2025-02-17T05:44:36Z","number":"5","summary":"Current version"},{"date":"2025-03-15T09:09:26Z","number":"6","summary":"Current version"},{"date":"2025-04-25T04:52:38Z","number":"7","summary":"Current version"},{"date":"2025-10-07T02:37:11Z","number":"8","summary":"Current version"}],"status":"interim","version":"8"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15","product":{"name":"SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP1","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP All-in-One 11 SP4","product":{"name":"SUSE Linux Enterprise Server for SAP All-in-One 11 SP4","product_id":"SUSE Linux Enterprise Server for SAP All-in-One 11 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:suse_sles_sap:11:sp4"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 7","product":{"name":"SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:7"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_name","name":"WebYaST for SLE-11","product":{"name":"WebYaST for SLE-11","product_id":"WebYaST for SLE-11","product_identification_helper":{"cpe":"cpe:/a:suse:sle-11-webyast:1.3"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"ruby2.1-rubygem-actionpack-4_2","product":{"name":"ruby2.1-rubygem-actionpack-4_2","product_id":"ruby2.1-rubygem-actionpack-4_2","product_identification_helper":{"purl":"pkg:rpm/suse/ruby2.1-rubygem@actionpack-4_2"}}},{"category":"product_version","name":"ruby2.5-rubygem-actionpack-5_1","product":{"name":"ruby2.5-rubygem-actionpack-5_1","product_id":"ruby2.5-rubygem-actionpack-5_1","product_identification_helper":{"purl":"pkg:rpm/suse/ruby2.5-rubygem@actionpack-5_1"}}},{"category":"product_version","name":"ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","product":{"name":"ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","product_id":"ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","product_identification_helper":{"purl":"pkg:rpm/suse/ruby2.7-rubygem-actionpack-6.0@6.0.4-1.2"}}},{"category":"product_version","name":"ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","product":{"name":"ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","product_id":"ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","product_identification_helper":{"purl":"pkg:rpm/suse/ruby3.0-rubygem-actionpack-6.0@6.0.4-1.2"}}},{"category":"product_version","name":"ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1","product":{"name":"ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1","product_id":"ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/ruby3.1-rubygem-actionpack-6.0@6.0.4.4-1.1"}}},{"category":"product_version","name":"rubygem-actionpack-3_2","product":{"name":"rubygem-actionpack-3_2","product_id":"rubygem-actionpack-3_2","product_identification_helper":{"purl":"pkg:rpm/suse/rubygem@actionpack-3_2"}}},{"category":"product_version","name":"rubygem-actionpack-4_2","product":{"name":"rubygem-actionpack-4_2","product_id":"rubygem-actionpack-4_2","product_identification_helper":{"purl":"pkg:rpm/suse/rubygem@actionpack-4_2"}}},{"category":"product_version","name":"rubygem-actionpack-5_1","product":{"name":"rubygem-actionpack-5_1","product_id":"rubygem-actionpack-5_1","product_identification_helper":{"purl":"pkg:rpm/suse/rubygem@actionpack-5_1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2"},"product_reference":"ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2"},"product_reference":"ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1"},"product_reference":"ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15","product_id":"SUSE Linux Enterprise High Availability Extension 15:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP1","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-3_2 as component of SUSE Linux Enterprise Server for SAP All-in-One 11 SP4","product_id":"SUSE Linux Enterprise Server for SAP All-in-One 11 SP4:rubygem-actionpack-3_2"},"product_reference":"rubygem-actionpack-3_2","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP All-in-One 11 SP4"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionpack-4_2"},"product_reference":"ruby2.1-rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:rubygem-actionpack-4_2"},"product_reference":"rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2"},"product_reference":"ruby2.1-rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:rubygem-actionpack-4_2"},"product_reference":"rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-actionpack-4_2"},"product_reference":"ruby2.1-rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:rubygem-actionpack-4_2"},"product_reference":"rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-3_2 as component of WebYaST for SLE-11","product_id":"WebYaST for SLE-11:rubygem-actionpack-3_2"},"product_reference":"rubygem-actionpack-3_2","relates_to_product_reference":"WebYaST for SLE-11"}]},"vulnerabilities":[{"cve":"CVE-2021-22902","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2021-22902"}],"notes":[{"category":"general","text":"The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP1:rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15:rubygem-actionpack-5_1","SUSE Linux Enterprise Server for SAP All-in-One 11 SP4:rubygem-actionpack-3_2","SUSE OpenStack Cloud 7:ruby2.1-rubygem-actionpack-4_2","SUSE OpenStack Cloud 7:rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 8:rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 9:rubygem-actionpack-4_2","WebYaST for SLE-11:rubygem-actionpack-3_2"],"recommended":["openSUSE Tumbleweed:ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","openSUSE Tumbleweed:ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1"]},"references":[{"category":"external","summary":"CVE-2021-22902","url":"https://www.suse.com/security/cve/CVE-2021-22902"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1185771 for CVE-2021-22902","url":"https://bugzilla.suse.com/1185771"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","openSUSE Tumbleweed:ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1"]}],"scores":[{"cvss_v3":{"baseScore":6.5,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["openSUSE Tumbleweed:ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2","openSUSE Tumbleweed:ruby3.0-rubygem-actionpack-6.0-6.0.4-1.2","openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1"]}],"threats":[{"category":"impact","date":"2021-05-05T17:37:23Z","details":"moderate"}],"title":"CVE-2021-22902"}]}